Overview

* Transit Systems
* Reverse Engineering
* My Discoveries
* The Exploit
* The Lessons


Brief History

* The Anatomy of a Subway Hack (2008)
* NFC Subway Hack (2012)
* How to Hack All the Transport Networks of a Country (2012)
* Breaking Korea Transit Card with Side-Channel Attack (2017)


How This Is Different

* This is not illegal
  * We aren't sneaking into the station
  * We aren't hacking their terminals
  * We aren't social engineering anyone or attacking their wired/wireless network
* This is not about the hardware
  * We aren't cracking anyone's encryption
  * We aren't cloning the magstripe, RFID,


How This Is Different

* This is about
  * Flaws in the application logic
  * OK, cloning is involved, but it is not the vulnerability exploited
  * Using AppSec to attack complex, multi-layered, real-world solutions


Elevated Train

* Bangkok Mass Transit System (BTS)
* Elevated rapid transit system in Bangkok, Thailand
* Serves the Greater Bangkok Area
* Operated by Bangkok Mass Transit System PCL (BTSC)
* 43 stations along two lines


Tickets

* Stored-Value Card (NFC)
* All Day Pass (Magstripe) and Single Journey (Magstripe)


Tickets

* Two magstripes
* Hole through one magstripe
* Only 0.27mm thick


Tickets (photographs of the ticket stock)


Gates

* Entering
* Exiting


Why Them?

* Magstripe? Really?
* There had to be something there!
* Threatening to for years
* Had to before moving on ...


The Equipment

* Standard Reader/Writer
* Manufactured in China
* Standards or Raw Read
* Errors Rare
* Reliable Performance


The Questions

* Data Location
* Encoding Schemes
* Data Changes
* Data Meaning
* System Response
* Data Tampering
  * Repeating states or out-of-order transitioning


Lab Work

* Reading the magstripes
* Decoding the data


Lab Work

Raw reads of one ticket, both magstripes (hex as transcribed from the slide; each stripe was read twice):

E0E6421145 7826 FC2E843A 00FF 74 00C20E FCE0933438
E0E6421145 7826 FC2E843A 00FF 74 00C20E FCE0933438
0x00

E0E6421145 5826 E62E8E0A 00E0E6 42114558 26E62E8E04
E0E64211A5 5826 E62E8E0A 00E0E6 42114558 26E62E8E04
0x00


Lab Work

* Attempted decode using standards
  * International Organization for Standardization
  * 6-bit character sets and 4-bit character sets
  * Some with parity and some without
* Attempted decode both forwards and backwards


Lab Work

Annotated read of the first magstripe (the slide marks two regions, "Known" and "Duplicate"; the second-magstripe line is not legible beyond "5826 E62E8E0A"):

E0E6421145 7826 FC2E843A 00FF 74 00C20E FCE0933438
0x00

* The section marked "Known" is always 100 + the price of the ticket


Lab Work

* There is no encryption
* There are no parity checks
* There was no longitudinal redundancy check (LRC)
* There are no timestamps


Field Work

* Run tickets through the system
* Vary the input each time
* See how the data changes
* Use changes to identify the meaning


Field Work

Annotated read of the first magstripe (regions marked "Known" and "Duplicate"; second magstripe partly legible as "5826 E62E8E0A ..."):

E0E6421145 7826 FC2E843A 00FF 74 00C20E FCE0933438

Field behaviour observed across tickets:

* Never Changes (station to station, year to year)
* Overwritten on Use

Ticket survey (values as transcribed from the slide, non-hex OCR glyphs normalised; "?" marks a digit illegible on the slide; blank cells were not shown). "GUID" and "GUID (cont.)" are the first-magstripe fields written by the dispenser; "Turnstile" and the following "GUID (cont.)" are the same positions after the ticket was used; "Second magstripe" is the corresponding field on the other stripe.

Date        Baht  Station    Never Changes  GUID      Dispenser  GUID (cont.)   Turnstile  GUID (cont.) after use  Second magstripe
2017        15    Ari        D0403AE7       F51CC51D  00D60F     F5A8 8 9A6C5                                      D?1CCF12
2017        22    Ari        E0406C15       F52CD5A3  00D60F     F5A8 8 AA67B                                      E12CDD95
10/23/2017  16    Ari        A341760E       B02D364D  00D20F     B081 A 60878                                      A42D3E71
10/23/2017  16    Ari        75410139       B02D46D4  00D60F     B081 A 72AC5                                      7A2DAE36
9/1/2018    16    Ari        78401432       E91E76ED  00D20F     E948 A E0A41   801C0F     E948 D 8681B            781C7D55
9/19/2018   16    Sanam Pao  E542D0B4       FB1EA6FC  00C20E     FBD8 8 D38D2                                      E51EAECA
9/20/2018   16    Sanam Pao  E6421145       FC2E843A  00C20E     FCE0 9 33438                                      E62E8E0A
9/30/2018   16    Ari        32404491       062FF509  00D60F     0631 D 72460                                      322CFF14
9/30/2018   23    Ari        FF421002       061F35FF  00D60F     0631 D 72498                                      001F3DD1
10/7/2018   16    Ari        03430838       0D2F7759  00D20F     0D69 7 408E8   801C0F     0D69 9 D6A2C            042F7F78
10/19/2018  140   Sanam Pao  E9D69E36       192FE79A  N/A        N/A            801C0F     1909 D 5EADA            E52EE6CF
11/1/2018   140   Sanam Pao  E9D64094       262FF7C9  00820E     2631 7 E1CC0   00060F     2631 E 58E52            E52EF6A3

Field Work

Lifecycle of one ticket (9/1/2018, 16 baht, Ari; first magstripe, hex as transcribed from the slide):

0x00E078401A327826E91E76ED00FF7400D20FE948AE0A41   "Issued"

  Entering

0x00E078401A327826E91E76ED00FF74801C0FE948D8681B   "Used"

  Exiting

0x00E078401A327826E91E76ED00FF74801C0FE948D8681B   "Collected"


Field Work

* For all day passes, the known section or "100-price" is used to track trips taken
* There is a different "Never Changes" for All-Day passes
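The field behaviour above, turned into a small decoder. This is an added example, not code from the talk: the field widths and names come from the spacing and behaviour shown on the slides ("Never Changes", "Known" = 100 + price, dispenser code overwritten by the turnstile, day-pass counter decremented per trip) and are my inference, not a documented BTS track format. The sample reads are constructed from the slide's before/after table.

```python
# Added example, not from the talk: split a first-magstripe read into the fields
# the slides label. Field widths and names are inferred from the slide's spacing
# and observed behaviour (assumption), not a documented BTS format.
from dataclasses import dataclass, fields

# Sample reads constructed from the slide's "Before Use / After Use" table
# (16-baht single journey from Ari; 140-baht day pass from Sanam Pao).
SAMPLE_TRACKS = {
    "single_issued":  "0x00E0 03430838 7826 0D2F7759 00FF74 00D20F 0D697408E8",
    "single_used":    "0x00E0 03430838 7826 0D2F7759 00FF74 801C0F 0D699D6A2C",
    "daypass_issued": "0x00E0 E9D64094 B846 262FF7C9 00FFF0 00820E 26317E1CC0",
    "daypass_used":   "0x00E0 E9D64094 B846 262FF7C9 00FFEF 00060F 2631E58E52",
}

# (field name, width in hex digits); assumption: taken from the slide's spacing
LAYOUT = (("header", 4), ("never_changes", 8), ("type_word", 4), ("guid", 8),
          ("known", 6), ("machine", 6), ("tail", 10))

@dataclass
class Track:
    header: str         # "00E0" on every read shown
    never_changes: str  # fixed for the card's whole life
    type_word: str      # "7826" on single journeys, "B846" on the day passes shown
    guid: str           # assigned at the dispenser
    known: str          # low byte = 100 + price at issue; day passes count it down per trip
    machine: str        # dispenser code at issue, turnstile code after use
    tail: str           # rewritten on every state transition

def parse_track(read: str) -> Track:
    """Parse a hex dump as it appears on the slides (optional 0x, optional spaces)."""
    h = read.upper().replace(" ", "")
    if h.startswith("0X"):
        h = h[2:]
    expected = sum(w for _, w in LAYOUT)
    if len(h) != expected:
        raise ValueError(f"expected {expected} hex digits, got {len(h)}")
    int(h, 16)  # reject anything that is not hex (catches OCR-style garbage)
    values, pos = {}, 0
    for name, width in LAYOUT:
        values[name] = h[pos:pos + width]
        pos += width
    return Track(**values)

def known_value(t: Track) -> int:
    """Low byte of the 'Known' field as an integer."""
    return int(t.known[-2:], 16)

def price_baht(issued: Track) -> int:
    """The slide's rule: the 'Known' byte is 100 + ticket price at issue."""
    return known_value(issued) - 100

def trips_taken(issued: Track, later: Track) -> int:
    """Day passes: trips are tracked by counting the 'Known' byte down."""
    if issued.guid != later.guid:
        raise ValueError("reads are from different tickets")
    return known_value(issued) - known_value(later)

def changed_fields(before: Track, after: Track) -> list[str]:
    """Which fields a turnstile rewrote between two reads of the same card."""
    return [f.name for f in fields(Track)
            if getattr(before, f.name) != getattr(after, f.name)]

if __name__ == "__main__":
    si, su = parse_track(SAMPLE_TRACKS["single_issued"]), parse_track(SAMPLE_TRACKS["single_used"])
    di, du = parse_track(SAMPLE_TRACKS["daypass_issued"]), parse_track(SAMPLE_TRACKS["daypass_used"])
    print("single journey:", price_baht(si), "baht; rewritten on use:", changed_fields(si, su))
    print("day pass:", price_baht(di), "baht; trips taken:", trips_taken(di, du))
```

On the sample reads the decoder recovers 16 and 140 baht from the "Known" byte, one trip on the used day pass, and shows that a turnstile rewrites only the machine code and the tail of the first stripe.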


Handling Rules

* To Enter,
  * Ticket must have previously been in "Collected" state
  * Ticket must now be in "Issued" state
* To Exit, ticket must be in "Used" state


Research Under a Junta

* Situation There
* Legal Rights


Trying Not to Get Arrested

* Avoiding Security Guards
* Dip and Dash
* Last Resort


Local Attitudes

* Punished for Disruptions
* Wouldn't Notice
* Wouldn't Care
* What Procedure?
* Avoiding Farang


Exploiting This System

* What We Have Learned So Far
* System Safeguards
* Their Assumptions
* Attacks Against Their Assumptions
* Epic Fail!


What We Have Learned So Far

* Object Based
  * Physical Object
  * Database Object
* Properties
  * Identification
  * Value
  * Location


What We Have Learned So Far

* States
  * Issued
  * Used
  * Collected
* History


System Safeguards

* Ticket Composition and Ticket Design
* Mirror Physical Object and Database Object
* Handling Rules Define Valid Use of the Objects
* Lifecycle Limited to Twenty-Four Hours


Their Assumptions

* No One Will Be Able to Reproduce Our Ticket
* Our System Has the Only Valid Objects
* Handling Rules Will Prevent Concurrent Use
* Damage Is Limited by Lifecycle
* After Use, Ticket Will Be in Our


Attacks Against Assumptions

* Acquire Suitable Ticket
* Capture Valid Object
* Bypass Rules
* Extend the Attack to Increase the Damage


Epic Fail!

* Found Someone to Make Blank Tickets
* Copied a Shit Ton of Objects in "Issued" State
* Found Flaw in the Handling Rules
  * "Collected" State Found in Current Lifecycle
  * Overrides All Other States!


Epic Fail!

Diagram (two slides): one original ticket that has already reached the "Collected" state, next to several copies of it taken while it was in the "Issued" state. Each copy is presented at Entering as "Issued" and accepted, reads "Used" inside, and is presented at Exiting; every copy ends in the "Collected" state.


Epic Fail!

Three copies of one 16-baht ticket and two copies of one 140-baht day pass, each read before and after use (first magstripe, the one with the hole, Track #1; hex as transcribed from the slide):

Date       Baht  Station    Before use                                              After use
10/7/2018  16    Ari        0x00E0 03430838 7826 0D2F7759 00FF74 00D20F 0D697408E8  0x00E0 03430838 7826 0D2F7759 00FF74 801C0F 0D699D6A2C
10/7/2018  16    Ari        0x00E0 03430838 7826 0D2F7759 00FF74 00D20F 0D697408E8  0x00E0 03430838 7826 0D2F7759 00FF74 80040F 0D699F6834
10/7/2018  16    Ari        0x00E0 03430838 7826 0D2F7759 00FF74 00D20F 0D697408E8  0x00E0 03430838 7826 0D2F7759 00FF74 80040F 0D69926878
11/1/2018  140   Sanam Pao  0x00E0 E9D64094 B846 262FF7C9 00FFF0 00820E 26317E1CC0  0x00E0 E9D64094 B846 262FF7C9 00FFEF 00060F 2631E58E52
11/1/2018  140   Sanam Pao  0x00E0 E9D64094 B846 262FF7C9 00FFF0 00820E 26317E1CC0  0x00E0 E9D64094 B846 262FF7C9 00FFEF 801C0F 2631E5EEA5


Epic Fail! (Demonstration)


Turning the Exploit into an Attack

* Tickets
* Plan


The Tickets

* Find Cards
* Punch Holes


Finding Cards

* RFP on Alibaba
* Running Trials
* Winning Bid!


RFP on Alibaba

* Thousands of Companies (Probably Millions)
* Just Tell Them What You Want
* Anything That You Need!
* They Will Make It for You


Running Trials

* Many Offers
* All Failed but One Company
  * Couldn't Produce the Desired Thickness
* Took Many Months to Find Them


Winning Bid! (photographs)


Punch Holes (photographs)


The Plan

* Buy Ticket (Daily Pass)
* Copy Ticket
* Use Original
* Hand Out Copies
* Have Fun!
* Repeat Tomorrow!


Results of the Attack

Attack Damage

Daily Pass  Counterfeits  Baht      US$
B140        5             B700      $22.58
B140        10            B1,400    $45.16
B140        1,000         B140,000  $4,516.13

Period    Baht          US$
1 Month   B4,258,333    $137,365.59
6 Months  B25,550,000   $824,193.55
1 Year    B51,100,000   $1,648,387.10
5 Years   B255,500,000  $8,241,935.48


Extend the attack!


Implications for the BTS

* Millions of Dollars in Losses
* Loss of Face!


Response from the BTS

* Who Are You Again?
* Not Interested!


The Lessons

* For Us
* For the BTS


For Us

* There is no hardware-only solution
  * Solutions are often complex
  * There is software in there somewhere
* Trusting assumptions can be dangerous
* Don't be afraid of where research might lead
* Measure your risk wisely before proceeding


For the BTS

* Don't Let Social Conventions Blind You
  * Not Everyone Thinks Like You
* Be Willing to Talk to Anyone
* Rely on the Evidence
* You Can Always Cover It Up Later


Avoiding Their Fate

* Test All Layers of a Solution
* Test for Application Issues
* Check Your Assumptions
* Use Compensating and Mitigating Controls


What Are They Doing Now

* Deployed Second Generation
* Still No Channels for Sharing
* Still Ignoring "The Wrong People"
* Still Ignoring Me


Final Thoughts

* Transit Systems Are Fun
  * They Can Also Get You in Trouble
  * You Don't Know Until You Try
* Reverse Engineering Is Key
* You Gotta Have Some Balls!
* Don't Believe the Hype
* AppSec for the Win!


Links

* https://wikileaks.org/wiki/Anatomy_of_a_Subway_Hack_2008
* https://file.wikileaks.org/file/anatomy-of-a-subway-hack.pdf
* https://defcon.org/images/defcon-16/dc16-presentations/anderson-ryan-chiesa/47-zack-reply-to-mbta-oppo.pdf
* https://www.computerworld.com/article/2597509/def-con--how-to-hack-all-the-transport-networks-of-a-country.html
* https://www.cio.com/article/2391654/android-nfc-hack-enables-travelers-to-ride-us-subways-for-free--researchers-say.html
* https://www.youtube.com/watch?v=-uvvVMHnC3c
* https://www.blackhat.com/docs/asia-17/materials/asia-17-Kim-Breaking-Korea-Transit-Card-With-Side-Channel-Attack-Unauthorized-Recharging-wp.pdf


Links

* https://www.msrdevice.com
* https://www.msrdevice.com/product/misiri-msr705x-hico-magnetic-card-reader-writer-encoder-msr607-msr608-msr705-msr706
* https://www.alibaba.com/
* https://nexqo.en.alibaba.com
* http://www.nexqo.com/
* https://www.bts.co.th/
* http://www.btsgroup.co.th